Disabling right click doesn't prevent a person from using web developer toolkits. These can and will allow the person to alter html, javascript and css code. Meaning the person will still be able to download your images and fool your client side security.
–
HTDutchyFeb 21 '13 at 10:24

70

Sure it does, it makes the site more hated, thus more hackable
–
Mite MitreskiFeb 21 '13 at 10:28

13

I'd like to point out that regardless of whether or not this practice affects the physical security of a site it does contribute to the perceived security of the site from the general populace.
–
Chris KerekesFeb 21 '13 at 14:27

7

@ChrisKerekes I've never heard this claim, I'm curious to know if there's some article or such you can cite that talks about affecting the perceived security of the site from the general populace?
–
SpellingDFeb 21 '13 at 17:17

3

@SpellingD, The Psychology of Security is an article from Bruce Schneier, author of a number of encryption and security books published by Wiley. Disclaimer: I have not read the article in its entirety.
–
Chris KerekesFeb 21 '13 at 19:16

10 Answers
10

No, it doesn't alter anything other than your ability to conveniently save items from a page. Using a browser's developer mode, turning off JS, overriding this with a different script that disables that pop-up, or just grabbing data off the wire after stripping the SSL will all work.

Is it a good general practice?

This is an ache that the Internet has had to suffer from the height of GeoCities fame when folks didn't want you to "steal" their very poorly composed photos of dandelions and family pets. Dispensing with all professionalism and being as straightforward as possible, I might hesitate to convict a person for smacking the responsible party of any modern site using this upside the head with a cast iron skillet. Aside from that it has generally fallen out of favor due to being a combination of ineffective and annoying. For instance, it would also make my spellchecker misbehave.

Also, anyone who thinks that this somehow improves security really shouldn't be trusted with a freaking banking site. I'd like to know which bank this is so I can avoid ever using its internet banking functionality...
–
ShadurFeb 21 '13 at 10:30

9

@Shadur: Well, banking websites notoriously do stupid things. It often happens that your password must be a "PIN" which must be 4 numbers, no letters, no longer and no shorter /shrug
–
Andreas BoniniFeb 21 '13 at 12:33

5

+1 Just for the enduring image of the Skillet and the tell-tale "Spang" noise we all know it would make! :)
–
James SnellFeb 21 '13 at 13:25

5

Zero benefit. Anyone savvy enough to "hack" will not be thwarted by not being able to right click. It disables only the action of a right click, and not the functionality provided by right clicking. "I've made it past the 1024 bit encryption, now if only I could right click on this damn image..."
–
eskimoFeb 22 '13 at 12:34

Client side security is just a smokescreen. It will prevent inexperienced people from saving the images or messing with the HTML, but one can easily disable this with a single line of injected javascript. You can mess with the HTML even without this line of JS, using Chrome Inspector.

When this trick is used to keep images "secure":

I've seen a lot of tricks used by sites to avoid images being fetched. One, of course, is trapping the right click bubble. The other is to overlay two images (or to use a CSS background-image:url()), making the first one 'inaccessible' to right click. But that will only prevent the folks that don't know much more than "right click>save image as".

Is it a good practice? Probably not. It's still very easy for people to get the image. But yeah, if you want to cull the pool of possible "thieves", I guess it's OK to do. Still, you should come to terms with the fact that once you send something to the client, it can be stolen.

When this trick is used to keep the website "secure"

Please don't do this. Your security should be on your server-side. Client side security should be in the form of CSRF/clickjacking preventions. Not in the form of "making the source code difficult to mess with". Because it always can be messed with.

Anyone who really wants the image is going to be able to get it unless they're terminally incompetent at web browsing. I'd hesitate to say disabling right click would do more than slow anyone down.
–
ShadurFeb 21 '13 at 10:28

@fgysin: I right-click>open image in new tab. Then I save. If it's not what I wanted, I Chrome-inspector the page and drag the real URL out kicking and screaming :P
–
ManishearthFeb 21 '13 at 16:18

Ah, this brings back memories of a buddy of mine in college thinking he'd made a "secure" image DRM and challenged me to break it. He was so surprised when I brought in the image the next day after having pulled the details of the image right out of the packet traffic and recomposed it into a data file. Now it's even easier, but then I had to make my own tool.
–
AJ HendersonFeb 21 '13 at 18:06

3

The all-time favorite time saver... You come across an image that's displayed at full resolution on the web... You're running Windows 7... Easier than rubber-banding a lamb for wetherization purposes, we give you the Snipping tool. Instantly castrates any right-click silliness or image protection silliness in one simple drag.
–
Fiasco LabsFeb 22 '13 at 7:32

@FiascoLabs: Yeppers. Shift-PrintScrn on Ubuntu for me, but same principle. However, I like my images to be perfect without any border issues :P
–
ManishearthFeb 22 '13 at 7:38

I actually think it might compromise security by a fraction. The ones who are prevented by the disabling of the button would never be able to compromise the security at all. But disabling the right click might annoy someone who can get past it into doing exactly that, and by doing that break down a small barrier that might lead the person to continue hacking.

Another point is that "features" like this might lead a potential hacker to question the skills of the implementers of the site, which also is something that might entice a hacker to "check out" the implementation.

Of course this is just psychology and has nothing to do with the actual security of the site, but still a valid point I think.

Maybe a stronger support to your premise is that more code = more opportunity for bugs.
–
LadadadadaFeb 21 '13 at 8:47

8

In fact, I would strongly question the ability of the people who think this improves security to write other secure code.
–
DorusFeb 21 '13 at 10:02

11

What exactly is in a browser's context menu that can harm the security of a banking site (or, for that matter, any site)? I checked mine, and there's no ‘Crack banking encryption’ option. :) If your security relies on people not downloading assets from the web server, you're getting compromised thousands of times a day — there's no distinction between displaying and downloading. Browsers are just complex file download engines.
–
AlexiosFeb 21 '13 at 10:40

@Adnan It is more like, "this site prevents me from right clicking, I wonder why/how?" This small question might lead to investigation in the client code and suddenly: "Looks like this site is prone to SQL injections"
–
daramarakFeb 23 '13 at 2:39

On a banking website I see that they have disabled right-click. Does that make the site any more secure?

No. Off the top of my head:

you can use greasemonkey to remove their right-click functionality on page load.

you can save the web page, then open it in your favorite editor.

you can get the webpage again, using wget (or any other client that gets the page without reading any javascript).

you can inspect the code and contents of the page by using any web-developer extension to your browser.

Is it a good general practice?

It limits the capabilities of your browser on their website. As far as I can think of, the only thing they achieve is a poorer user experience on their website (you cannot use the full capabilities of your browser with their website) and (if we're looking at very naive website owners / managers / other people responsible) a dangerous illusion of security.

Surprisingly often web sites foolishly aren't designed to cope with clicks on "Back" or "Forward" browser buttons. For instance, some banking or e-commerce web sites may commit a transaction twice if you hit "Back". In such cases, there may be a case for trying to disable right-click (where these options are included).

+1 - I somehow missed your answer until right after I posted something very similar. I suspect this is the case, though obviously there are saner ways of preventing back/forward navigation from double committing a transaction.
–
dr jimbobFeb 21 '13 at 16:44

Disabling right-click has no impact on security; it's completely trivial to get around, though it alone doesn't open up any security holes.

Giving the banking web site the benefit of the doubt -- there possibly could be a non-security effect that they intended from disabling right click. They may want to prevent users from accidentally doing unintended actions on the banking website.

For example, you may be familiar with websites that say only "press submit once" to prevent the form being double submitted. If you press submit twice, then you may initiate a money transfer twice which was not what you intended. Granted, there are much saner ways of accomplishing this (giving each action a unique ID before it's submitted, only processing a request once, etc.).

Or maybe they have set up the site that if you load a page, visit another page, and press the back button in your browser to go to the original page (versus navigating through their website), the previously visited page will no longer work (e.g., there's a token that expired once you visited a new page). Maybe they feared you would navigate away from a site, and an attacker could then use the computer after you press back a couple of times and get to your banking information. (Again, not the sanest method of accomplishing this goal, versus say a session timeout after 5 minutes of inactivity and encouraging people to logout and not use public computers).

As an example, if you do only client side validations in a website which needs more security, you are going to fail. Do both validations, server and client.

And the main thing is: providing security does not mean the stuff is secured. It increases the time to break into the system. By disabling right click, the breaking time can be increased by a second or two ;)

The only conceivable benefit I could think this could offer would be if they are expecting the casual user to do something stupid that would require a right click. I am not aware of any attack vectors where right clicking on something would cause an exploit to be able to occur though, so I don't see any valid security explanation for this behavior. Perhaps they don't want the user to copy and paste some information and hope the user doesn't know about ctrl-c and ctrl-v?

It is probably intended to make life more difficult for phishing attacks. The idea would be that an attacker needs to create a convincing fake page, and to do so he will naturally try to save images from the real web page, so making it marginally harder to get to the image must be a good thing, right?

Obviously it is completely ineffective and contributes only negative usability, but I'm assuming that's the thinking as I've seen sec products claim that protecting against downloading public web assets has some kind of worth against phishing.

“Disabling” right click entices users like me into turning off JavaScript. So all the other — rather poor — security measures implemented in JavaScript get shut down as well.

That is what I call counter-productive security.

[“Disabling” right click is not really disabling right click. It is trying to disable right click, and it just makes right click more difficult. Some Web browsers even have the option to just ignore this absurd annoyance.]